Devagni Vatsaraj

Privacy in 2022: A Look Back


Privacy is the right of an individual to be left alone, or the freedom from any interference. It is the right to have control over how an individual’s personal information is collected and used. Most people do not want everybody to know everything about them, so privacy helps reduce the social friction we encounter. As technology gets more sophisticated and people engage more with institutions, organizations and individuals, more data is being collected and exchanged. With this innovation, privacy is becoming more complex, leaving organizations with a complex risk matrix and an obligation to ensure that personal information is protected. As a result, protection of privacy has become of the utmost importance.

Change in thinking in privacy from legacy system to a mainstream, modern system

In the early days of computerization, the Chief Information Officer (CIO) was responsible for data policies, storage and privacy, along with designing the architecture and its constituent servers, personal computers, software, networking, and security systems. The role was limited in scope because computerization in those days was typically based on on-premises computing and data centers.

In the late 1990s, with the advent of federal, provincial, and sectoral laws such as the EU Data Protection Directive (the predecessor of the EU GDPR), the Children's Online Privacy Protection Act, the Gramm-Leach-Bliley Act for financial establishments, and the Health Insurance Portability and Accountability Act for healthcare establishments, safeguarding against external and internal threats became of utmost importance. Thus, the next decade, the early 2000s, saw the evolution of cyber security with the advent of intrusion detection and prevention solutions such as antivirus, web-application security, database security, security system management, etc.

The late 2000s saw the rapid adoption of cloud computing service models such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), coupled with the revolution in Internet of Things (IoT) and Bring-Your-Own-Device (BYOD) models, causing a shift in the whole IT landscape that impacted cyber security, compliance, and data privacy.

Thus, as discussed, the role of the CIO was no longer limited; CIOs were now managing data encryption, anonymization and password management along with the privacy aspects of cloud, mobility and IoT, protecting data from hackers and insider threats, and managing more stringent guidelines related to data, especially sensitive data.

With the adoption of the General Data Protection Regulation (GDPR) in 2018, the legislation has become the baseline for new data protection laws across the globe. Many lawmakers around the world have sought parity with GDPR in the hope that such parity will allow a free data flow between their country and the European market. So, what is the status of privacy during the pandemic and post-pandemic, and what does the future entail? Let us look at these below.

Impact of pandemic on privacy  

Digital transformation was already rising in the early 2000s, and with COVID-19 the generation of data, along with its variety and volume, has increased rapidly. This has come with a rising volume of attacks arising from the rapid adoption of cloud, IoT devices, and IT penetration in automotive, wearables, telecoms, smart cities, utilities, and other verticals. Moreover, the rise of freelancing and remote/hybrid working has also added to the mass of attacks and vulnerabilities.

In the many countries where work from home has been adopted, alongside video conferencing services, malware, ransomware, and the Dark Web, cyber-attacks have increased threefold despite advances in cybersecurity measures. Some of the notable data breaches and data leakages were the Sunburst SolarWinds attack, the discovery of Facebook and MGM Resorts confidential data on the Dark Web, the resurgence of WannaCry and other ransomware attacks, and the Mozi botnet. Besides attacks on customers and critical infrastructure, there have been incidents across the digital supply chain, especially exploiting vulnerabilities such as Log4j.

Aspects investigated by the companies in 2022  

Key teams within the organization, such as the CISO, legal, risk and governance teams, have been working together to categorize risks and assessments, estimate the cost of breaches and damages, implement cyber security frameworks and technologies, and crystallize policies. Technologies such as cybersecurity mesh architecture, artificial intelligence and blockchain are being harnessed by organizations to achieve more automated, intelligent, and stringent adherence to regulations.

For multinational organizations, it is of paramount importance for CISOs and leaders to have in-depth knowledge of country-specific data privacy laws, especially those handling sensitive data and employee data. Irrespective of company size, it is critical to have a clear privacy policy explaining to users of data across the extended enterprise the type of data collected, its usage and purpose, shareability and security. This should also cover acceptance, retention and disabling of cookies. Management teams are working together to balance risk, transparency, stakeholder satisfaction and compliance. Policies must balance risk, prioritization, breach/damage, compensation, and operational and reporting costs. Some companies have appointed Chief Privacy Officers who act as custodians, responsible for overseeing the functions mentioned above and for upholding privacy.

In recent years, data privacy has shifted from a mere topic of discussion to a regulatory requirement and a demand from many customers. Businesses can no longer wait for the legislation to align with the privacy regulations and protect consumer data. Instead, they must have a reasonable strategy for managing the privacy risks and complications. 2022 saw a series of shifts in the data privacy landscape, and the momentum of this change is not expected to slow down. So, what will be the new normal in the privacy landscape? Below are some trends. 

Trends that have shaped the world of privacy in 2022 

1. Intrusive home surveillance: 

With the effects of the pandemic, a lot of organizations had to give their employees the flexibility of working remotely, also called Work-From-Home (WFH). To ensure that employees use their time efficiently and do not abuse the relaxations provided to them, organizations may have implemented surveillance software for this work arrangement. These surveillance and monitoring technologies can be considered intrusive and may breach data privacy requirements. To protect the privacy of employees and assess the relevant risks potentially faced by the organization, Data Protection Officers (DPOs) will need to check this software to ensure that monitoring is aligned with the employee’s role while ensuring that employee personal data is not breached.

From the organizations’ perspective, the remote/hybrid working structure has benefited them financially in many ways; therefore, DPOs, along with business management teams, will have to keep abreast of developments in privacy practices and review WFH policies to align with continued remote/hybrid working.

2. Ongoing data and privacy breaches: 

Digitalization at an extremely fast pace, caused by the pandemic, created many risks and vulnerabilities leading to an increase in breaches. With governments opening borders and granting more relaxations, pandemic-related tracing activities, such as verification and monitoring of vaccinated individuals and the implementation of vaccinated travel lanes, pose risks to organizations if data is not collected and processed appropriately. An organization’s privacy policy provides the most insight into the purpose behind the collection and processing of an individual’s data; therefore, it is good practice to make a habit of reading the privacy policy before registering on a website, downloading an app, signing up for a membership, etc.

3. Increase in regulatory fines: 

The world is undergoing one of the biggest transformations ever, the shift to digitization. But with the rise of the digital world comes an increase in data privacy laws to protect the large volumes of personal and sensitive personal data and to improve data governance. The regulatory landscape is making it challenging for organizations to meet the specific requirements on time; therefore, 2022 has seen an increase in the frequency and severity of regulatory fines.

Further, the newer privacy legislation is being implemented with significantly harsher non-compliance fines. The newly enacted Personal Information Protection Law (PIPL) in China penalizes organizations up to 5% of annual revenue (compared to the GDPR at 2-4% of annual global turnover) and includes potential criminal penalties. Also, as consumers become aware of their rights in respect of their data and of protecting their privacy, we have seen an increase in the number of data subject requests and complaints in 2022.

Some notable fines of 2022 are:

  • On 6th January 2022, the French data protection authority (the CNIL) fined Google Ireland €90 Million. This fine relates to the way Google’s European entity implements cookie consent procedures on YouTube.
  • Facebook’s second largest GDPR fine also came from the CNIL on 6th January 2022. Meta, then Facebook, received a €60 Million penalty for not obtaining proper cookie consent from its users.
  • On 19th January 2022, the Italian data protection authority (the Garante) publicized its decision to fine Enel Energia €26.5 Million for a range of GDPR violations, including not obtaining user consent or informing customers before using their personal data for telemarketing calls.
  • On 10th February 2022, the Garante fined Clearview AI €20 Million after hearing and deciding on several issues connected with Clearview’s facial recognition products.
  • On 15th March 2022, the Irish Data Protection Commission (DPC) fined Meta Platforms Ireland €17 Million for issues which meant it could not readily prove the security measures it had implemented to protect EU users’ data. This was spotted in 2018 after twelve personal data breaches were reported to the DPC.
  • On 18th May 2022, the Spanish data protection authority (AEPD) published its decision imposing a fine of €10 Million on Google LLC for violation of Articles 6 and 17 of the GDPR, following two complaints and a subsequent investigation by the AEPD.

4. Up-skilling and obtaining certifications: 

Certifications continue to be adopted as a form of approval for organizations to prove data protection accountability. Furthermore, certain organizations have come up with their own best practices and benchmarks, which have been welcomed by the industry. Examples are the certifications by the International Association of Privacy Professionals (IAPP) and OneTrust. Other country-based certifications include Singapore’s Data Protection Trustmark (DPTM), the Credence Data Trust Rating System, the Philippine Privacy Trust Mark (PPTM), etc.

Organizations are more conscious of conducting audits, having regular assessments, and obtaining data protection certifications because the trust of all stakeholders, such as employees, business partners, and customers, depends on the security of their data. By obtaining and updating a data protection certification, an organization proves that the personal data it collects and processes receives excellent security and privacy treatment.

In the ASEAN region, the Singapore and Philippines authorities continue to lead the way in encouraging data protection officers and professionals to get certified. On a personal front, more individuals are seeking formal training and guidance from privacy experts to pursue privacy jobs and advance their careers. Intending to upskill and excel in their roles, these individuals are now focusing on obtaining privacy professional certifications such as CIPP, CIPM, CIPT, FIP, etc.

5. Rise in privacy professionals, yet a talent shortage: 

From mandatory business shutdowns and massive layoffs to worker burnout and a wave of resignations, the job market has seen some major changes over the last year; this is known as the “Great Resignation.” Although the cybersecurity workforce shortage has decreased over the past year, cybersecurity has also been affected by these events, with an increase in job transitions and resignations. Due to heavy workloads, employee burnout, and the lack of career advancement opportunities, the demand for data privacy professionals continues to outpace the supply of personnel. Privacy teams were thus forced to keep navigating the regulatory landscape and defending against evolving privacy risks with fewer resources than ever.

In 2022, for the employers, the struggle was to recruit, hire, and retain privacy talent during a global cybersecurity workforce shortage and the great resignation, while balancing the growing percentage of job hoppers. 

6. The need and role of DPOs have increased: 

The privacy landscape is changing rapidly, and this year has seen many organizations penalized for being unprepared and not following privacy legislation. Various industries are steadily adopting cloud storage services, which, coupled with digital transformation, drives the adoption of new digital tools and software that embed end-to-end privacy measures like Privacy by Design. To keep up with the influx of new privacy laws and amendments, many organizations are appointing DPOs to oversee and review their compliance and data protection strategies. This year has seen growing importance attached to the appointment of a DPO and an expansion of the role, especially as its responsibilities involve ensuring a holistic view of data privacy and security.

The demand for DPOs has steadily increased, rising by over 700% over the last five years. The newer privacy legislation shares many similarities with the GDPR, including the requirement to appoint a DPO for organizations processing personal information. Furthermore, the IAPP estimates that more than 500,000 organizations will need to appoint a DPO in the next few years. As organizations process, store and transfer more data across borders than ever, and the privacy landscape becomes a tangled web of regulations, the importance of the DPO will grow and keep growing in the coming years.

7. Shift from third-party cookies to zero- and first-party data, and moving to a cookieless future:

Advertisers are recognizing the importance of zero- and first-party data and are shifting away from third-party cookies. First-party data, which is data given directly by the user, is considered more trustworthy than second- and third-party data, which passes through numerous routes before reaching the advertiser. Personal data that a customer proactively provides to an organization is referred to as zero-party data. The difference between the two is that zero-party data comes from customer surveys and polls, while first-party data comes from customer web activity. With the growing popularity of first-party data, advertisers are increasingly interested in investing in direct partnerships with organizations.

Big Tech can collect first-party data with consent and bank it. With this data, they can attract advertisers who are looking for a specific audience. Looking to the future, publishers, advertisers and Big Tech are now changing how they monetize their content and collect data. We now expect a push for consent-driven data collection to tap into first-party data. With this, we should see a cookieless future.

8. Consumers demanding more control and addressing requests with tech: 

Consumers are more likely to choose companies that are transparent and honest about their personal data collection and usage. 2022 has seen a rising demand from customers wanting full access to and control over their data. These rights include the choice to access, delete, download, or view any personal data that the organization collects or processes. With the demand for data privacy increasing, the time that organizations have to respond to privacy issues and data requests is decreasing. For this reason, organizations are turning to technology, such as a centralized platform like PrivacyOps, to help them respond to requests faster.

9. Data graveyards on the verge of extinction and the need for professionals to be creative:

A lot of organizations outside the European Union have massive amounts of data stored away with no plan for its usage; they simply wanted as much of it as they could gather. As regulations continue to redefine applicable practices, what organizations do with these data graveyards is of immense value to the industry as a whole and to individuals as well. These wastelands are a significant financial burden; therefore, with stricter guidelines, organizations are making the utmost use of customers’ data. Many of the tools and software that organizations have relied on in recent years may be forced out of existence, either through legislation or by way of public opinion. This shift will force professionals to revisit more traditional engagements and build development processes and strategies to create a new audience.

10. Rise in disinformation: 

As discussed above, with the increase in digitization, digital literacy is an important quality for a citizen to have. Users put out vast amounts of information on social media, giving birth to disinformation such as fake news, which gets weaponized to trigger outrage and aggression. Privacy and personal data have reached an intense intersection. With growing regulation, the privacy landscape will take a different shape in the next five years; however, with awareness, individuals will be exercising more of their data subject rights. Thus, we can confirm that disinformation will not end without a fight.

11. Organizations have started to define the new normal for them:

As discussed, during the pandemic most organizations shifted their work to a remote/hybrid setting, and this raised the question of security in the digital environment. Though there are digital workspace security policies in place, there is still scope for improvements that organizations can work on. Now, with the relaxations, returning to the office feels more realistic, and a lot of organizations have set out policies to balance the benefits and challenges of remote and onsite office environments. When it comes to cybersecurity, the hybrid rules have started to bring more clarity, and this has become the new normal for both organizations and employees.

12. Privacy jobs are thriving and will continue to thrive: 

For a lot of organizations, data science is still a new field, and thus they struggle to find engineers and developers who are ready to dive into data and understand its capabilities and applicability; finding privacy-oriented data professionals adds another complication. Thus, organizations are relying on new privacy-centric training practices for their employees. Top personnel, such as Chief Information Security Officers and Chief Data Officers, have managed data procurement, storage, and application. These leaders are now leading new policies, procedures, and best practices to help guide their teams through this transition and set up a privacy-centric vision for their organization and for the industry.

Conclusion

The digital transformation of business operations and individuals’ habits is escalating the amount of data collected and processed. To effectively follow the ever-evolving privacy landscape, as laws and regulations catch up with technology, organizations should keep an eye on the latest enforcement actions, interpret the legislation and incorporate privacy and security best practices.

There is an essential need to rethink data-driven competitive advantages. The legislation now does not leave any room for ambiguity around “whether” data compliance trends will coincide with strict regulations. Rather, it is only a question of “when” they will intersect.

The trends of 2022 clarify that privacy programs can evolve beyond compliance and risk management to build trusted customer relationships worldwide. With this vision, privacy professionals should strive to build privacy by default, support the data lifecycle, inform individuals of their rights, be transparent about how data is managed and governed, and use automation in their favor.

About Devagni Vatsaraj

Devagni Vatsaraj is a legal professional who is currently pursuing her MBA in Data Protection and Privacy Management from the Swiss School of Management. With the privacy landscape taking shape in the Asian continent, and in a world of technological developments, Devagni is aiming to set up a good practice, encourage best privacy practices in India and develop a network of privacy professionals.
